Provisional text
delivered on 27 January 2022 (1)
(Request for a preliminary ruling from the Bundesarbeitsgericht (Federal Labour Court, Germany))
(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Second sentence of Article 38(3) – Data protection officer – Prohibition on dismissal for performing tasks – Legal basis – Article 16 TFEU – Validity – Requirement of functional independence – Extent of harmonisation – National legislation prohibiting the termination of a data protection officer’s employment contract without just cause – Data protection officer mandatorily designated under national law)
1.This request for a preliminary ruling from the Bundesarbeitsgericht (Federal Labour Court, Germany) concerns the interpretation and the validity of the second sentence of Article 38(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). (2)
2.The request has been made in proceedings between LH and her employer, Leistritz AG, concerning the termination of her employment contract on account of a departmental reorganisation, even though, under the applicable German law, LH’s contract may be terminated without notice only with just cause owing to her designation as data protection officer.
3.In this Opinion, I will set out the reasons for my view that the prohibition on dismissing data protection officers, laid down in the second sentence of Article 38(3) of Regulation 2016/679, is not the result of any harmonisation of the substantive rules of employment law. That gives Member States discretion to strengthen the protection afforded to those officers in their national legislation in various areas, in accordance with the objective pursued by that regulation.
4.Recitals 10, 13 and 97 of Regulation 2016/679 state:
‘(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the [European] Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. …
…
(13) In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. …
…
(97) … data protection officers, whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner.’
5.Article 1 of that regulation, headed ‘Subject matter and objectives’, provides in paragraph 1:
‘This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.’
6.Article 37 of Regulation 2016/679, headed ‘Designation of the data protection officer’, provides in paragraphs 1 and 4 to 6:
‘1. The controller and the processor shall designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.
…
4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.
5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.’
7.Article 38 of that regulation, entitled ‘Position of the data protection officer’, provides:
‘1. The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
…
3. The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his [or her] tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.
4. Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.
5. The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.
6. The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.’
8. Article 39 of Regulation 2016/679 sets out the main tasks of the data protection officer.
9.In the Bundesdatenschutzgesetz (Federal Law on data protection) of 20 December 1990, (3) in the version in force from 25 May 2018 to 25 November 2019, (4) Paragraph 6, headed ‘Position’, provides in subparagraph 4:
‘The dismissal of the data protection officer shall be permitted only by applying Paragraph 626 of the Bürgerliches Gesetzbuch [German Civil Code] accordingly. The data protection officer’s employment shall not be terminated unless there are facts that give the public body just cause to terminate without notice. The data protection officer’s employment shall not be terminated for one year after the activity as the data protection officer has ended, unless the public body has just cause to terminate without notice.’
10.Paragraph 38 of the BDSG, headed ‘Data protection officers of private bodies’, provides:
‘1. In addition to Article 37(1)(b) and (c) of Regulation … 2016/679, the controller and processor shall designate a data protection officer if they generally continuously employ at least ten persons [(5)] dealing with the automated processing of personal data. …
11.In the Civil Code, in the version published on 2 January 2002, (6) Paragraph 134, headed ‘Statutory prohibition’, reads as follows:
‘Any legal act contrary to a statutory prohibition shall be void except as otherwise provided by law.’
12.Paragraph 626 of that code, headed ‘Termination without notice with just cause’, provides:
‘1. The employment relationship may be terminated by either party to the contract with just cause without giving notice where facts are present on the basis of which the terminating party cannot reasonably be expected to continue the employment relationship to the end of the notice period or to the agreed end of the employment relationship, taking all circumstances of the individual case into account and weighing the interests of both parties to the contract.
13.Leistritz is a company governed by private law and is required, under German law, to designate a data protection officer. LH held the positions of head of legal affairs and internal data protection officer in that company from 15 January 2018 and 1 February 2018, respectively.
14.By letter of 13 July 2018, Leistritz terminated LH’s employment contract with notice with effect from 15 August 2018, citing the undertaking’s restructuring as part of which internal legal advisory services and data protection were to be outsourced.
15.The courts adjudicating on the substance, before which LH had brought proceedings challenging the legality of the contractual termination, ruled that in accordance with the combined provisions of Paragraph 38(2) and the second sentence of Paragraph 6(4) of the BDSG, LH’s contract could only be terminated without notice with just cause, owing to her status as data protection officer. The restructuring measure cited by Leistritz does not give just cause for contractual termination without notice.
16.The referring court before which Leistritz has brought an appeal on a point of law observes that, under German law, the termination of LH’s contract is void pursuant to those provisions and Article 134 of the Civil Code. (7) Nonetheless, it points out that the applicability of those provisions depends on whether EU law, particularly the second sentence of Article 38(3) of Regulation 2016/679, allows legislation of a Member State which attaches stricter requirements to the termination of a data protection officer’s employment contract than those provided for by EU law. If it does not, the referring court would have to uphold the appeal on a point of law.
17.In those circumstances, the Bundesarbeitsgericht (Federal Labour Court) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
‘(1) Is the second sentence of Article 38(3) of Regulation [2016/679] to be interpreted as precluding a provision in national law, such as Paragraph 38(1) and (2) in conjunction with the second sentence of Paragraph 6(4) of the [BDSG], which declares ordinary termination of the employment contract of the data protection officer by the data controller, who is his employer, to be impermissible, irrespective of whether his contract is terminated for performing his tasks?
(2) If the first question is answered in the affirmative:
Does the second sentence of Article 38(3) [of Regulation 2016/679] also preclude such a provision in national law if the designation of the data protection officer is not mandatory in accordance with Article 37(1) [of that regulation], but is mandatory only in accordance with the law of the Member State?
(3) If the first question is answered in the affirmative:
Is the second sentence of Article 38(3) [of Regulation 2016/679] based on a sufficient enabling clause, in particular in so far as this covers data protection officers that are party to an employment contract with the data controller?’
18.LH, Leistritz, the German and Romanian Governments, the European Parliament, the Council of the European Union and the European Commission have lodged written observations. With the exception of the German and Romanian Governments, they all presented oral argument at the hearing on 18 November 2021.
19.By its first question, the referring court asks the Court, in essence, whether the second sentence of Article 38(3) of Regulation 2016/679 is to be interpreted as precluding national legislation which provides that an employer may terminate a data protection officer’s employment contract only with just cause, even if the contractual termination is not related to the performance of the officer’s tasks.
20.In order to answer that question, it is necessary to clarify, in the first place, what is covered by the expression ‘dismissed … for performing his [or her] tasks’ which the EU legislature uses in the second sentence of Article 38(3) of Regulation 2016/679. In the second place, it will have to be determined whether Member States have discretion to extend the safeguards enjoyed by data protection officers under that provision.
(3) of Regulation 2016/679
21.Article 38 of Regulation 2016/679 appears in Chapter IV of that regulation, concerning the ‘Controller and processor’, specifically in Section 4, headed ‘Data protection officer’. That section contains three articles relating, respectively, to the designation of the data protection officer, (8) his or her position (9) and his or her tasks, which essentially consist in giving staffing advice on data processing and monitoring compliance with data protection rules. (10)
22.When interpreting the second sentence of Article 38(3) of Regulation 2016/679, it is necessary, according to the Court’s settled case-law, to consider not only the wording of that provision but also its context and the objectives of the legislation of which it forms part. (11)
23.As regards the wording of the second sentence of Article 38(3) of Regulation 2016/679, I note that it expresses an obligation in negative terms. It states that the data protection officer ‘shall not be dismissed or penalised by the controller or the processor for performing his [or her] tasks’. (12)
24.Accordingly, that provision establishes the boundaries of the protection afforded to data protection officers. They are protected against any decision which terminates their duties or places them at a disadvantage when that decision relates to the performance of their tasks.
25.Concerning the distinction between data protection officers being dismissed and being penalised, I note, first, that Regulation 2016/679 contains no provision expressly or impliedly defining those measures. (13)
26.Following a comparative examination of other language versions, two types of measures can be considered to be caught by the second sentence of Article 38(3) of Regulation 2016/679: those which bring an end to the data protection officer’s duties and those which constitute penalties or place the officer at a disadvantage, regardless of their context. Those definitions may therefore cover contractual terminations whereby the employer brings an employment contract to an end. (14)
27.The results of research into the legislative history of Article 38 of Regulation 2016/679 which I have been able to access do not, in the absence of detailed information, clarify the EU legislature’s precise intentions regarding the scope of the term ‘dismissed’. It can only be noted that the drafting insertion relating to dismissal occurred at a late stage in the legislative process (15) during which, at the same time, the following clause was removed, which appeared after ‘The controller or processor shall ensure that the data protection officer’: ‘can act in an independent manner with respect to the performance of his or her tasks’. (16)
28.I also note that the EU legislature chose to reproduce verbatim the wording of the second sentence of Article 38(3) of Regulation 2016/679 in the second sentence of Article 44(3) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC. (17) However, no clarification is forthcoming in the documents concerning the drafting of Regulation 2018/1725, which in my view is explained by the insertion in Article 44(8) of another essential safeguard for the data protection officer, namely that he or she ‘may be dismissed from the post by the Union institution or body which designated him or her if he or she no longer fulfils the conditions required for the performance of his or her duties and only with the consent of the European Data Protection Supervisor’.
29.Secondly, I note that no distinction is drawn in the second sentence of Article 38(3) of Regulation 2016/679 between whether or not the data protection officer is a staff member of the controller or processor. (18) That regulation contains no provision on the interdependence between decisions taken by the employer in the context of the employment relationship and those relating to the duties of the data protection officer. The only limit imposed concerns the grounds on which the data protection officer’s duties may not be terminated, that is to say, any ground related to the performance of his or her tasks.
30.As for the objective pursued by the EU legislature, that objective justifies the use of general wording in the second sentence of Article 38(3) of Regulation 2016/679 and the choice of that limit.
31.It is stated in the Council’s draft statement of reasons that the purpose of designating a data protection officer is to improve compliance with Regulation 2016/679. (19) That is why the second sentence of Article 38(3) of that regulation lays down obligations to ensure the independence of that officer. Thus, that article provides that the data protection officer is not to receive any instructions regarding the exercise of his or her tasks and that he or she is to report directly to the highest management level of the controller or processor. (20) He or she is also bound by secrecy or confidentiality. (21)
The focus is thus on the stringency of the oversight of the data protection officer’s duties, which is all the more warranted where that officer is designated by a controller who is his or her employer. Accordingly, the prohibition laid down in the second sentence of Article 38(3) of Regulation 2016/679 acts as a safeguard for the prerogatives enjoyed by that officer for the performance of his or her tasks, tasks which may, in some instances, be difficult to reconcile with those set by the employer in the context of the employment relationship.
37.In my view, the objective of Regulation 2016/679 set out in recital 13 thereof, under which the EU legislature ensures the independence of the data protection officer in general terms in the second sentence of Article 38(3) of that regulation, (26) vindicates the proposition that it must be possible for any other measure seeking to strengthen the independence of that officer in the performance of his or her tasks to be taken by a Member State.
38.That view is not inconsistent with the effects of a regulation, as defined in the second paragraph of Article 288 TFEU, or with the ensuing obligation on Member States not to derogate from or supplement a regulation which is binding in its entirety and directly applicable, unless the provisions of that regulation allow the Member States a margin for manoeuvre which must or may, depending on the case, be used by them in the conditions and within the limits laid down in those provisions. (27)
39.Consequently, I restate my view that the extent of the harmonisation brought about by Regulation 2016/679 varies according to the provisions under consideration. Determining the normative scope of that regulation therefore requires a case-by-case examination. (28)
40.In that connection, I note that the second sentence of Article 38(3) of Regulation 2016/679 deals with the dismissal of the data protection officer, in so far as that dismissal relates solely to the performance of the officer’s tasks, which is presumed to be proper, (29) in the form of a prohibition, without there being any stipulation as to the seriousness of the ground relied on or consideration of the various aspects of the relationship of subordination with the employer capable of having an impact on the officer’s designation. Thus, consideration is not given to, for example, the duration of the employment contract, the staffing or economic reasons for its termination, which may, in some circumstances, be negotiated, or the suspension of the employment relationship on account of sickness, training, annual leave or long-term leave.
41.Furthermore, the EU legislature’s intention to leave it to the Member States to supplement the provisions protecting the data protection officer’s independence based on a skeleton legislative framework relating to the performance of that officer’s tasks, defined in accordance with the objectives of Regulation 2016/679, is also apparent from the fact that there are no rules applying to the term of the officer’s mandate – in contrast to the provision made in the first sentence of Article 44(8) of Regulation 2018/1725 – (30) or to the situation, as here, where an undertaking’s reorganisation results in the duties of the data protection officer being outsourced for reasons unconnected with the performance of his or her tasks.
42.In consequence, Member States may decide to strengthen the independence of data protection officers, inasmuch as they contribute to the implementation of the objectives of Regulation 2016/679, specifically in relation to the termination of their employment contracts, since there is no provision of EU law capable of serving as a basis for special and concrete protection for such officers against contractual termination on grounds unrelated to the performance of their tasks, when termination of the employment relationship inevitably results in those tasks being brought to an end.
45.As is apparent from the concise review of Member States’ legislation which I was able to consult, (32) most Member States have not adopted specific provisions on contractual termination and have gone no further than the prohibition laid down in the second sentence of Article 38(3) of Regulation 2016/679, which is directly applicable. (33)
46.However, other Member States have chosen to supplement that article. (34)
47.In that regard, I note that the Article 29 Working Group took the view that, ‘as a normal management rule and as it would be the case for any other employee or contractor under, and subject to, applicable national contract or labour and criminal law, a [data protection officer] could still be dismissed legitimately for reasons other than for performing his or her tasks as a [data protection officer] (for instance, in case of theft, physical, psychological or sexual harassment or similar gross misconduct).’ (35)
48.Whatever the choice made by the Member States, the administrative or judicial body in each of them with responsibility for reviewing the legality of the grounds for dismissing the data protection officer also contributes, in my view, to ensuring the independence of that officer.
49.Since it is highly likely that the link with the satisfactory performance of the data protection officer’s tasks will not be expressly apparent from the decision to dismiss him or her, (36) general protection based solely on the status of data protection officer is possible. In the present case, it is apparent from the explanations provided by the referring court that it is the concept of ‘just cause’, as interpreted in German law, which leads to the conclusion that, in the interests of providing additional protection, the data protection officer may not be dismissed in the event of the undertaking’s restructuring. (37) In the same vein, it could also be considered that where the undertaking which is required to designate a data protection officer and has done so by choosing one of its employees faces economic difficulties, the tasks of that officer should, on account of the objective of Regulation 2016/679 and the officer’s contribution to its attainment, continue to be performed for as long as the employer continues in business.
50.However, the prohibition laid down in the second sentence of Article 38(3) of Regulation 2016/679 is necessarily subject to limits where there are objective shortcomings in the performance of the data protection officer’s tasks in the light of his or her obligations. Those limits must be set in accordance with the objective pursued by that regulation. (38)
51.Thus, an interpretation which is equally consistent with the objective of Regulation 2016/679 must result, in my view, in the acceptance that a data protection officer may be dismissed where he or she no longer fulfils the qualitative criteria necessary for the performance of his or her tasks, such as those set out in Article 37(5) of that regulation, or does not meet the obligations laid down in the first and third sentences of Article 38(3) and in Article 38(5) and (6) thereof, (39) or where his or her level of expertise proves to be inadequate. (40)
52.Consequently, I take the view that the second sentence of Article 38(3) of Regulation 2016/679 is to be interpreted as not precluding national legislation which provides that an employer may terminate a data protection officer’s employment contract only with just cause, even if the contractual termination is not related to the performance of the officer’s tasks.
53.However, should the Court not share that view and instead decide to answer the referring court’s first question in the affirmative, it would be necessary to answer the other two questions referred for a preliminary ruling.
54.By its second question, the referring court seeks to ascertain whether the second sentence of Article 38(3) of Regulation 2016/679 precludes national legislation which declares the termination of the data protection officer’s employment contract by his or her employer without just cause to be unlawful, even if that contractual termination is not related to the performance of his or her tasks, where the designation of the data protection officer is mandatory not under Article 37(1) of that regulation, but only under national law, as provided for in Article 37(4) of that regulation.
55.I note that neither Article 38(3) of Regulation 2016/679 nor the other provisions of Section 4 of that regulation, concerning the data protection officer, draw any distinction according to whether the designation of that officer is mandatory or optional.
56.Consequently, I take the view that the answer to be given to the referring court is that the second sentence of Article 38(3) of Regulation 2016/679 applies without there being any need to draw a distinction according to whether the data protection officer is mandatorily designated under EU law or under national law.
57.By its third question, the referring court enquires about the validity of the second sentence of Article 38(3) of Regulation 2016/679 and, specifically, whether that provision has a sufficient legal basis, in particular in so far as it covers data protection officers who are party to an employment contract with the data controller.
58.I propose that the Court should find that the second sentence of Article 38(3) of Regulation 2016/679 has a sufficient legal basis inasmuch as its sole purpose is to shield the data protection officer from obstacles which impede the performance of his or her tasks and that that safeguard, irrespective of whether or not an employment relationship exists, contributes to the effective attainment of the objectives of that regulation.
59.First, as explained in my analysis of the first question referred, (41) Article 16 TFEU is the legal basis for that regulation. Furthermore, the Court has held that that article constitutes, without prejudice to Article 39 TEU, an appropriate legal basis where the protection of personal data is one of the essential aims or components of the rules adopted by the EU legislature. (42)
60.Secondly, one of those conditions is, in my view, fully met as regards the role of the data protection officer and how that role is framed, as defined by Regulation 2016/679. The guarantee of that officer’s functional independence, which is intended to satisfy the requirement to ensure a high level of respect for the fundamental rights of the persons concerned by the processing of personal data, (43) took the form, in the second sentence of Article 38(3) of that regulation, of a prohibition on terminating his or her duties for reasons inherent in his or her tasks. Since that provision does not impose any kind of harmonisation in employment law, the EU legislature did not exceed the legislative powers conferred on it by Article 16(2) TFEU.
61.As regards compliance with the principles of subsidiarity and proportionality, which the referring court also raises, I note, first, that the upsurge in the cross-border processing of personal data provides a valid reason for the protection of such data in the light of fundamental rights to be implemented at EU level, (44) by safeguarding in particular the prerogatives of the data protection officer who is considered to be a ‘key player’ in that protection. (45) Secondly, the second sentence of Article 38(3) of Regulation 2016/679 does not seem to me to go beyond what is necessary to ensure the functional independence of that officer. It is true that the safeguard against dismissal, established in that provision, necessarily has an effect on the employment relationship. However, that effect is intended only to ensure the effectiveness of the data protection officer’s position.
62.Consequently, I take the view that the answer to be given to the referring court is that the examination of the third question referred for a preliminary ruling has disclosed nothing capable of affecting the validity of the second sentence of Article 38(3) of Regulation 2016/679.
63.In the light of all the foregoing considerations, I propose that the Court answer the questions referred for a preliminary ruling by the Bundesarbeitsgericht (Federal Labour Court, Germany) as follows:
Principally:
– The second sentence of Article 38(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as not precluding national legislation which provides that an employer may terminate a data protection officer’s employment contract only with just cause, even if the contractual termination is not related to the performance of the officer’s tasks.
In the alternative, if the Court answers the first question referred for a preliminary ruling in the affirmative:
– The second sentence of Article 38(3) of Regulation 2016/679 applies without there being any need to draw a distinction according to whether the data protection officer is mandatorily designated under EU law or under national law.
– The examination of the third question referred for a preliminary ruling has disclosed nothing capable of affecting the validity of the second sentence of Article 38(3) of Regulation 2016/679.
* * *
(1) Original language: French.
(2) OJ 2016 L 119, p. 1, as corrected by OJ 2018 L 127, p. 2.
(3) BGBl. 1990 I, p. 2954.
(4) BGBl. 2017 I, p. 2097; ‘the BDSG’.
(5) In the first sentence of Paragraph 38(1) of the BDSG, in the version in force since 26 November 2019, the number of employees has been increased to ‘20’.
(6) BGBl. 2002 I, p. 42, corrected p. 2909, and BGBl. 2003 I, p. 738.
(7) The referring court also stated that, in accordance with its case-law, the fact that an external data protection officer will, in the future, handle data protection in an undertaking as a result of organisational changes does not give just cause for removal (see judgment of the Bundesarbeitsgericht (Federal Labour Court) No 10 AZR 562/09 of 23 March 2011, paragraph 18, available at https://www.bundesarbeitsgericht.de/entscheidung/10-azr-562-09/).
(8) Article 37 of the regulation.
(9) Article 38 of the regulation.
(10) Article 39 of the regulation.
(11) See, in particular, judgment of 12 May 2021, Bundesrepublik Deutschland (Interpol red notice) (C‑505/19, EU:C:2021:376, paragraph 77).
(12) Emphasis added.
(13) In that regard, in the document entitled ‘Guidelines on Data Protection Officers (“DPOs”)’ (‘the DPO Guidelines’), adopted on 13 December 2016 and revised on 5 April 2017, available at https://ec.europa.eu/newsroom/article29/items/612048/en, the Working Party on the Protection of Individuals with regard to the Processing of Personal Data, established by Article 29 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 13) (‘the Article 29 Working Party’), stated that ‘penalties may take a variety of forms and may be direct or indirect. They could consist, for example, of absence or delay of promotion; prevention from career advancement; denial from benefits that other employees receive. It is not necessary that these penalties be actually carried out, a mere threat is sufficient as long as they are used to penalise the [data protection officer] on grounds related to his/her [data protection officer] activities’ (p. 15). After the entry into force of Regulation 2016/679, that working party was replaced by the European Data Protection Board (EDPB). The EDPB endorsed the DPO Guidelines at its first plenary meeting held on 25 May 2018 (see https://edpb.europa.eu/sites/default/files/files/news/endorsement_of_wp29_documents_en_0.pdf).
(14) As LH points out, in addition to the German-language version of the second sentence of Article 38(3) of Regulation 2016/679 (‘abberufen’), other language versions such as those in Spanish (‘destituido’), French (‘relevé’) and Portuguese (‘destituído’) clearly show that that regulation deals with the bringing to an end of the duties of the data protection officer, not the ‘employment relationship’ (‘kündigen’ in German). See also the language versions in English (‘dismissed’), Italian (‘rimosso’), Polish (‘odwoływany’) and Romanian (‘demis’).
(15) See the note of the Presidency of the Council of the European Union of 3 October 2014 on the Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (First reading) – Chapter IV, available at https://data.consilium.europa.eu/doc/document/ST-13772-2014-INIT/en/pdf, concerning the insertion in Article 36(3) of that proposal of text to the effect that the data protection officer cannot be penalised for performing his or her tasks (p. 34). See also the position of the Council at first reading with a view to the adoption of a Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) of 6 April 2016, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CONSIL:ST_5419_2016_INIT&from=EN, adopting the current wording of Article 38 of Regulation 2016/679.
(16) The expression ‘in an independent manner’ appears in the last sentence of recital 97 of Regulation 2016/679.
(17) OJ 2018 L 295, p. 39.
(18) See Article 37(6) of Regulation 2016/679.
(19) See the position of the Council at first reading with a view to the adoption of a Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), and repealing Directive 95/46/EC – Draft statement of the Council’s reasons of 31 March 2016, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CONSIL:ST_5419_2016_ADD_1_REV_1&from=EN (p. 22). As regards the important role played by the data protection officer in the implementation of Regulation 2016/679, see recital 97 of that regulation and the officer’s tasks set out in Article 39 thereof. In that regard, the Article 29 Working Party stated in the DPO Guidelines that, before the adoption of Regulation 2016/679, it had argued that the data protection officer was ‘a cornerstone of accountability and that appointing a [data protection officer] can facilitate compliance’ (p. 4). The working party also stated that that regulation recognises the data protection officer ‘as a key player in the new data governance system’ (p. 5). See, as an illustration of the information needs of the controller or processor to whom the data protection officer is answerable, judgment of 16 July 2020, Facebook Ireland and Schrems (C‑311/18, EU:C:2020:559, paragraph 134).
(20) See the first and third sentences of Article 38(3) of Regulation 2016/679.